About Change Result Rules
On the Recast page in the Host Audits tab, you can create Change Result rules. A Change Result rule modifies the outcome of a host audit. These rules do not modify historical scan results.
Change Result rules target audit findings that are determined by the query shown in the Criteria column on the Recast table shown in the Host Audits tab.
View Findings and Assets Affected by a Change Result Rule
Once a Change Result rule is active, you can view the specific findings and assets that it impacts. This is the most effective way to verify that your change result query criteria (filters) are targeting the correct data set.
You can view findings and assets affected by a Change Result rule in three ways:
- Inspect individual Change Result rules in the recast rule table.
- Use the Recast Rule Details pane.
- Identify findings in Explore > Findings by querying the findings table.
View Affected Findings or Assets from the Recast Table
To view findings or assets that are affected by a Change Result rule via the recast table:
- Select the Host Audits tab in Recast.
- Look for any row with Change Result in the Rule Type column.
- On the left side of the row, click the button. A table appears.
- Click the Assets or Findings tab. A table appears with the list of assets or findings that meet the criteria for that rule.
View Affected Findings or Assets from the Recast Rule Details Pane
To view findings or assets that are affected by a Change Result rule via the recast rule details pane:
- Select the Host Audits tab in Recast.
- Double-click on any row with Change Result in the Rule Type column.
- Double-click on any row of the table. A recast rule details pane appears with the Summary tab showing by default.
- Click the Assets tab or the Findings tab. A table appears with either the list of assets or the list of findings that meet the criteria for that rule.
For more information, see Recast Rule Details.
View Affected Findings or Assets from Explore
To view findings or assets that are affected via Explore:
- In the left navigation, click Explore > Findings. The Findings page appears.
- On the left side of the table, click Findings > Host Audits.
- Click on the query-builder bar and build this query: Result Modified is equal to Result Changed. A table appears with the list of findings whose Result has been modified by a Change Result rule. These findings show a Change Result icon along with a tooltip (such as Passed-Result Changed) in the Result column of the findings table.
Example Change Result Rule
In the following example, you create a rule to address host audit findings from a HIPAA audit. Since only some assets contain Protected Health Information (PHI), the rule changes results to Passed on assets without PHI:
- Action — Change Result
- Category — Custom
- Audit File — HIPAA_Security_Rule_v1.1.0.audit
- Audit Name — Check HIPAA Security
- Original Result — Failed
- New Result — Passed
- Targets — Custom
- Target Hosts — 192.0.2.1 - 192.0.2.10
- Expires — Never
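
The following added example (not part of the product or its documentation) is an offline scope check for the rule above: it models the rule's criteria locally and flags any affected finding on a host that a PHI inventory lists, since a Failed result changed to Passed there would hide a real failure. The field names, the matching logic, the sample findings and the PHI inventory are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ChangeResultRule:
    """Local model of the example rule; field names are assumptions."""
    audit_file: str
    audit_name: str
    original_result: str
    new_result: str
    first_host: str
    last_host: str

    def matches(self, finding: dict) -> bool:
        # A finding is in scope only if every criterion agrees.
        ip = ipaddress.ip_address(finding["ip"])
        lo = ipaddress.ip_address(self.first_host)
        hi = ipaddress.ip_address(self.last_host)
        return (lo <= ip <= hi
                and finding["audit_file"] == self.audit_file
                and finding["audit_name"] == self.audit_name
                and finding["result"] == self.original_result)

def review_rule(rule, findings, phi_hosts):
    """Return (affected, conflicts): findings the rule would change, and
    the subset on hosts the inventory says hold PHI."""
    affected = [f for f in findings if rule.matches(f)]
    conflicts = [f for f in affected if f["ip"] in phi_hosts]
    return affected, conflicts

AF, AN = "HIPAA_Security_Rule_v1.1.0.audit", "Check HIPAA Security"
RULE = ChangeResultRule(AF, AN, "Failed", "Passed", "192.0.2.1", "192.0.2.10")

# Constructed sample findings and PHI inventory (not real scan data).
FINDINGS = [
    {"ip": "192.0.2.5", "audit_file": AF, "audit_name": AN, "result": "Failed"},
    {"ip": "192.0.2.10", "audit_file": AF, "audit_name": AN, "result": "Failed"},
    {"ip": "192.0.2.11", "audit_file": AF, "audit_name": AN, "result": "Failed"},
    {"ip": "192.0.2.3", "audit_file": AF, "audit_name": AN, "result": "Passed"},
    {"ip": "192.0.2.4", "audit_file": AF, "audit_name": "Other check", "result": "Failed"},
]
PHI_HOSTS = {"192.0.2.10", "192.0.2.11"}

if __name__ == "__main__":
    affected, conflicts = review_rule(RULE, FINDINGS, PHI_HOSTS)
    for f in affected:
        flag = "PHI HOST, rule would mask a failure" if f in conflicts else "ok"
        print(f["ip"], f["result"], "->", RULE.new_result, flag)
```

Any host reported as a conflict should be removed from the rule's Target Hosts before the rule is relied on.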